1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
|
#!/usr/bin/env pwsh
# 0.5.0 fixed BOM-less encoding issues with Unicode
#Requires -Modules @{ ModuleName = 'OpenAuthenticode'; ModuleVersion = '0.5.0' }
using namespace System.Collections.Generic
using namespace System.IO
using namespace System.Management.Automation
using namespace System.Management.Automation.Language
using namespace System.Security.Cryptography.X509Certificates
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[string]
$CollectionPath,
[Parameter(Mandatory)]
[string]
$CertPath,
[Parameter(Mandatory)]
[string]
$UntrustedCertPath,
[Parameter(Mandatory)]
[string]
$CertPass
)
$ErrorActionPreference = 'Stop'
Function New-AnsiblePowerShellSignature {
<#
.SYNOPSIS
Creates and signed Ansible content for App Control/WDAC.
.DESCRIPTION
This function will generate the powershell_signatures.psd1 manifest and sign
it. The manifest file includes all PowerShell/C# module_utils and
PowerShell modules in the collection(s) specified. It will also create the
'*.authenticode' signature file for the exec_wrapper.ps1 used inside
Ansible itself.
.PARAMETER Certificate
The certificate to use for signing the content.
.PARAMETER Collection
The collection(s) to sign. This is set to ansible.builtin by default but
can be overriden to include other collections like ansible.windows.
.PARAMETER Skip
A list of plugins to skip by the fully qualified name. Plugins skipped will
not be included in the signed manifest. This means that modules will be run
in CLM mode and module_utils will be skipped entirely.
The values in the list should be the fully qualified name of the plugin as
referenced in Ansible. The value can also optionally include the extension
of the file if the FQN is ambigious, e.g. collection util that has both a
PowerShell and C# util of the same name.
Here are some examples for the various content types:
# Ansible Builtin Modules
'ansible.builtin.module_name'
# Ansible Builtin ModuleUtil
'Ansible.ModuleUtils.PowerShellUtil'
'Ansible.CSharpUtil'
# Collection Modules
'namespace.name.module_name'
# Collection ModuleUtils
'ansible_collections.namespace.name.plugins.module_utils.PowerShellUtil'
'ansible_collections.namespace.name.plugins.module_utils.PowerShellUtil.psm1'
'ansible_collections.namespace.name.plugins.module_utils.CSharpUtil'
'ansible_collections.namespace.name.plugins.module_utils.CSharpUtil.cs'
.PARAMETER Unsupported
A list of plugins to be marked as unsupported in the manifest and will
error when being run. List -Skip, the values here are the fully qualified
name of the plugin as referenced in Ansible.
.PARAMETER TimeStampServer
Optional authenticode timestamp server to use when signing the content.
.EXAMPLE
Signs just the content included in Ansible.
$cert = [X509Certificate2]::new("wdac-cert.pfx", "password")
New-AnsiblePowerShellSignature -Certificate $cert
.EXAMPLE
Signs just the content include in Ansible and the ansible.windows collection
$cert = [X509Certificate2]::new("wdac-cert.pfx", "password")
New-AnsiblePowerShellSignature -Certificate $cert -Collection ansible.builtin, ansible.windows
.EXAMPLE
Signs just the content in the ansible.windows collection
$cert = [X509Certificate2]::new("wdac-cert.pfx", "password")
New-AnsiblePowerShellSignature -Certificate $cert -Collection ansible.windows
.EXAMPLE
Signs content but skips the specified modules and module_utils
$skip = @(
# Skips the module specified
'namespace.name.module'
# Skips the module_utils specified
'ansible_collections.namespace.name.plugins.module_utils.PowerShellUtil'
'ansible_collections.namespace.name.plugins.module_utils.CSharpUtil'
# Skips signing the file specified
'ansible_collections.namespace.name.plugins.plugin_utils.powershell.file.ps1'
)
$cert = [X509Certificate2]::new("wdac-cert.pfx", "password")
New-AnsiblePowerShellSignature -Certificate $cert -Collection namespace.name -Skip $skip
.NOTES
This function requires Ansible to be installed and available in the PATH so
it can find the Ansible installation and collection paths.
#>
[CmdletBinding()]
param (
[Parameter(
Mandatory
)]
[X509Certificate2]
$Certificate,
[Parameter(
ValueFromPipeline,
ValueFromPipelineByPropertyName
)]
[string[]]
$Collection = "ansible.builtin",
[Parameter(
ValueFromPipelineByPropertyName
)]
[string[]]
$Skip = @(),
[Parameter(
ValueFromPipelineByPropertyName
)]
[string[]]
$Unsupported = @(),
[Parameter()]
[string]
$TimeStampServer
)
begin {
Write-Verbose "Attempting to get ansible-config dump"
$configRaw = ansible-config dump --format json --type base 2>&1
if ($LASTEXITCODE) {
$err = [ErrorRecord]::new(
[Exception]::new("Failed to get Ansible configuration, RC: ${LASTEXITCODE} - $configRaw"),
'FailedToGetAnsibleConfiguration',
[ErrorCategory]::NotSpecified,
$null)
$PSCmdlet.ThrowTerminatingError($err)
}
$config = $configRaw | ConvertFrom-Json
$collectionsPaths = @($config | Where-Object name -EQ 'COLLECTIONS_PATHS' | ForEach-Object value)
Write-Verbose "Collections paths to be searched: [$($collectionsPaths -join ":")]"
$signParams = @{
Certificate = $Certificate
HashAlgorithm = 'SHA256'
}
if ($TimeStampServer) {
$signParams.TimeStampServer = $TimeStampServer
}
$checked = [HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Function New-HashEntry {
[OutputType([PSObject])]
[CmdletBinding()]
param (
[Parameter(Mandatory, ValueFromPipeline)]
[FileInfo]
$File,
[Parameter(Mandatory)]
[AllowEmptyString()]
[string]
$PluginBase,
[Parameter()]
[AllowEmptyCollection()]
[string[]]
$Unsupported = @(),
[Parameter()]
[AllowEmptyCollection()]
[string[]]
$Skip = @()
)
process {
$nameWithoutExt = [string]::IsNullOrEmpty($PluginBase) ? $File.BaseName : "$PluginBase.$($File.BaseName)"
$nameWithExt = "$nameWithoutExt$($File.Extension)"
$mode = 'Trusted'
if ($nameWithoutExt -in $Skip -or $nameWithExt -in $Skip) {
Write-Verbose "Skipping plugin '$nameWithExt' as it is in the supplied skip list"
return
}
elseif ($nameWithoutExt -in $Unsupported -or $nameWithExt -in $Unsupported) {
Write-Verbose "Marking plugin '$nameWithExt' as unsupported as it is in the unsupported list"
$mode = 'Unsupported'
}
Write-Verbose "Hashing plugin '$nameWithExt'"
$hash = Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256
[PSCustomObject]@{
Name = $nameWithExt
Hash = $hash.Hash
Mode = $mode
}
}
}
}
process {
$newHashParams = @{
Skip = $Skip
Unsupported = $Unsupported
}
foreach ($c in $Collection) {
try {
if (-not $checked.Add($c)) {
Write-Verbose "Skipping already processed collection $c"
continue
}
$metaPath = $null
$pathsToSign = [List[FileInfo]]::new()
$hashedPaths = [List[PSObject]]::new()
if ($c -eq 'ansible.builtin') {
Write-Verbose "Attempting to get Ansible installation path"
$ansiblePath = python -c "import ansible; print(ansible.__file__)" 2>&1
if ($LASTEXITCODE) {
throw "Failed to find Ansible installation path, RC: ${LASTEXITCODE} - $ansiblePath"
}
$ansibleBase = Split-Path -Path $ansiblePath -Parent
$metaPath = [Path]::Combine($ansibleBase, 'config')
$execWrapper = Get-Item -LiteralPath ([Path]::Combine($ansibleBase, 'executor', 'powershell', 'exec_wrapper.ps1'))
$pathsToSign.Add($execWrapper)
$ansiblePwshContent = [PSObject[]]@(
# These are needed for Ansible and cannot be skipped
Get-ChildItem -Path ([Path]::Combine($ansibleBase, 'executor', 'powershell', '*.ps1')) -Exclude "bootstrap_wrapper.ps1" |
New-HashEntry -PluginBase "ansible.executor.powershell"
# Builtin utils are special where the filename is their FQN
Get-ChildItem -Path ([Path]::Combine($ansibleBase, 'module_utils', 'csharp', '*.cs')) |
New-HashEntry -PluginBase "" @newHashParams
Get-ChildItem -Path ([Path]::Combine($ansibleBase, 'module_utils', 'powershell', '*.psm1')) |
New-HashEntry -PluginBase "" @newHashParams
Get-ChildItem -Path ([Path]::Combine($ansibleBase, 'modules', '*.ps1')) |
New-HashEntry -PluginBase $c @newHashParams
)
$hashedPaths.AddRange($ansiblePwshContent)
}
else {
Write-Verbose "Attempting to get collection path for $c"
$namespace, $name, $remaining = $c.ToLowerInvariant() -split '\.'
if (-not $name -or $remaining) {
throw "Invalid collection name '$c', must be in the format 'namespace.name'"
}
$foundPath = $null
foreach ($path in $collectionsPaths) {
$collectionPath = [Path]::Combine($path, 'ansible_collections', $namespace, $name)
Write-Verbose "Checking if collection $c exists in '$collectionPath'"
if (Test-Path -LiteralPath $collectionPath) {
$foundPath = $collectionPath
break
}
}
if (-not $foundPath) {
throw "Failed to find collection path for $c"
}
Write-Verbose "Using collection path '$foundPath' for $c"
$metaPath = [Path]::Combine($foundPath, 'meta')
$collectionPwshContent = [PSObject[]]@(
$utilPath = [Path]::Combine($foundPath, 'plugins', 'module_utils')
if (Test-Path -LiteralPath $utilPath) {
Get-ChildItem -LiteralPath $utilPath | Where-Object Extension -In '.cs', '.psm1' |
New-HashEntry -PluginBase "ansible_collections.$c.plugins.module_utils" @newHashParams
}
$modulePath = [Path]::Combine($foundPath, 'plugins', 'modules')
if (Test-Path -LiteralPath $modulePath) {
Get-ChildItem -LiteralPath $modulePath | Where-Object Extension -EQ '.ps1' |
New-HashEntry -PluginBase $c @newHashParams
}
)
$hashedPaths.AddRange($collectionPwshContent)
}
if (-not (Test-Path -LiteralPath $metaPath)) {
Write-Verbose "Creating meta path '$metaPath'"
New-Item -Path $metaPath -ItemType Directory -Force | Out-Null
}
$manifest = @(
'@{'
' Version = 1'
' HashList = @('
foreach ($content in $hashedPaths) {
# To avoid encoding problems with Authenticode and non-ASCII
# characters, we escape them as Unicode code points. We also
# escape some ASCII control characters that can cause escaping
# problems like newlines.
$escapedName = [Regex]::Replace(
$content.Name,
'([^\u0020-\u007F])',
{ '\u{0:x4}' -f ([uint16][char]$args[0].Value) })
$escapedHash = [CodeGeneration]::EscapeSingleQuotedStringContent($content.Hash)
$escapedMode = [CodeGeneration]::EscapeSingleQuotedStringContent($content.Mode)
" # $escapedName"
" @{"
" Hash = '$escapedHash'"
" Mode = '$escapedMode'"
" }"
}
' )'
'}'
) -join "`n"
$manifestPath = [Path]::Combine($metaPath, 'powershell_signatures.psd1')
Write-Verbose "Creating and signing manifest for $c at '$manifestPath'"
Set-Content -LiteralPath $manifestPath -Value $manifest -NoNewline
Set-OpenAuthenticodeSignature -LiteralPath $manifestPath @signParams
$pathsToSign | ForEach-Object -Process {
$tempPath = Join-Path $_.DirectoryName "$($_.BaseName)_tmp.ps1"
$_ | Copy-Item -Destination $tempPath -Force
try {
Write-Verbose "Signing script '$($_.FullName)'"
Set-OpenAuthenticodeSignature -LiteralPath $tempPath @signParams
$signedContent = Get-Content -LiteralPath $tempPath -Raw
$sigIndex = $signedContent.LastIndexOf("`r`n# SIG # Begin signature block`r`n")
if ($sigIndex -eq -1) {
throw "Failed to find signature block in $($_.FullName)"
}
# Ignore the first and last \r\n when extracting the signature
$sigIndex += 2
$signature = $signedContent.Substring($sigIndex, $signedContent.Length - $sigIndex - 2)
$sigPath = Join-Path $_.DirectoryName "$($_.Name).authenticode"
Write-Verbose "Creating signature file at '$sigPath'"
Set-Content -LiteralPath $sigPath -Value $signature -NoNewline
}
finally {
$tempPath | Remove-Item -Force
}
}
}
catch {
$_.ErrorDetails = "Failed to process collection ${c}: $_"
$PSCmdlet.WriteError($_)
continue
}
}
}
}
$cert = [X509Certificate2]::new($CertPath, $CertPass)
$untrustedCert = [X509Certificate2]::new($UntrustedCertPath, $CertPass)
$sigParams = @{
Certificate = $cert
Collection = 'ansible.builtin', 'ansible.windows', 'ns.col', 'ns.module_util_ref'
Skip = @(
'ns.col.skipped'
'ns.col.inline_signed'
'ns.col.inline_signed_not_trusted'
'ns.col.unsigned_module_with_util'
'ansible_collections.ns.col.plugins.module_utils.CSharpUnsigned'
'ansible_collections.ns.col.plugins.module_utils.PwshUnsigned'
)
Unsupported = 'ns.col.unsupported'
}
New-AnsiblePowerShellSignature @sigParams
@(
"$CollectionPath/plugins/modules/inline_signed.ps1"
"$CollectionPath/roles/app_control_script/files/signed.ps1"
) | Set-OpenAuthenticodeSignature -Certificate $cert -HashAlgorithm SHA256
@(
"$CollectionPath/plugins/modules/inline_signed_not_trusted.ps1"
) | Set-OpenAuthenticodeSignature -Certificate $untrustedCert -HashAlgorithm SHA256
|
